Mozilla is going ahead with its plans to enable DNS-over-HTTPS (DoH) by default in its Firefox browser.
The roll-out will start with a small cohort of users in the U.S. – and barring any problems with deployment, it looks set to be extended gradually to Mozilla’s wider user base. Mozilla claims that the change is all about making internet connections more secure and protecting user privacy – but not everyone is happy about it. In the UK especially, there is concern that DoH will stymie the ability of ISPs to filter and track user activity.
Here’s a closer look at how DoH works, the controversy surrounding its deployment and the pros and cons of enabling it.
Add a header to begin generating the table of contents
What is DoH?
The existing Domain Name System (DNS) is the framework in which easy-to-remember website addresses (e.g. stationx.net) are translated into code that devices can read. Type an address in the browser and a request is sent to your local DNS server (most often provided by your Internet Service Provider). The DNS server then searches for and retrieves the numerical IP address of the web server that hosts that specific site.
With standard DNS systems, DNS requests are unencrypted. This makes it vulnerable to various forms of eavesdropping and ‘man-in-the-middle’ hacking attempts. Examples include tunnelling through DNS queries and responses to pass on malware, as well as DNS hijacking, where queries are redirected to a spoof domain server.
Developed by Mozilla, the new system, DNS over HTTPS (DoH) is designed to combat these vulnerabilities. Under it, DNS requests are sent via HTTPS and secured by a Transport Layer Security (TLS) cryptographic protocol. It means that requests are effectively hidden in the huge general stream of HTTPS internet traffic, thereby stopping snoopers from isolating and exploiting those requests.
What’s happening with Firefox and DoH?
Users have been able to explicitly enable DoH on Firefox since the release of v62 in 2018.
In a blog post earlier this month, Mozilla’s Selena Deckelmann confirmed that the company is now ready to start enabling DoH by default. The roll out will start in late September for a small percentage of U.S. users. There will be further announcements when the company is ready for 100% deployment.
Who’s complaining about DoH by default?
Especially in the UK, it’s fair to say that ISPs haven’t welcomed the arrival of DoH with open arms. In fact, Mozilla’s initial announcement of plans for a general roll-out led to a nomination for ‘Internet villain of the year’ by the UK’s ISP Association.
The concern for ISPs is that the new protocol will stop them deploying certain key features such as parental controls and anti-malware filters. With DoH, your DNS queries effectively bypass your ISP’s nameservers. And of course, just as hackers would struggle to isolate individual requests from the general stream of HTTPS traffic, the same goes for ISP providers. DNS-based Internet filtering requires ISPs to be able to see browsing requests at a household level. If ISPs don’t have this visibility, they cannot deliver the function.
It is also claimed that DoH will make life more difficult for governments: something that could be seen as good or bad news, depending on where you stand on the censorship debate! In the UK for instance, the government’s online harms reduction proposals lists ISP blocking of non-compliant sites as a potentially useful enforcement mechanism. The new protocol could effectively blow that out of the water.
For its part, Mozilla rejects the argument that DoH by default will prevent Firefox users from deploying filters. Under its plans, DoH will be automatically disabled on the browser whenever the presence of parental controls is detected. More generally, it will also be disabled if lookup failures occur.
Other issues with DoH
The key feature of DoH is that it bypasses your internal DNS structure completely, as user requests – as requests are fired straight off to Mozilla’s servers of choice (currently Cloudfare). This also means that any security mechanisms you may have in place that also work through the DNS will also be bypassed.
Indeed, for enterprise configurations on Firefox, DoH will not be configured by default (you have to specifically enable it).
Under standard DNS, the server the server that handles a request typically operates inside the ISP’s own network. Under DoH, the request has that little bit further to travel – i.e. to Cloudfare’s servers. The suggestion is that performance will suffer.
In reality, early indications are positive. Sam Knows looked at this recently and found no tangible performance differences between DNS and DNS-over-HTTPS.
How to enable DoH in Firefox
When it comes to Firefox, DoH by default on promises a potentially useful privacy boost, with the added bonus of not having to lift a finger to enable it. That said, once it’s in place on your browser, it’s worth checking any parental controls and other filters you rely on to make sure they are still working.
And of course, if you can’t wait for it to be installed on Firefox by default, you can manually enable it. Here’s how:
- On the Firefox menu, go to Tools and then Preferences.
- In the General section, go to Network Settings and then press Settings.
- Tick the box ‘Enable DNS over HTTPS’.
How to enable DoH in Chrome
In case you are interested in enabling DOH in Chrome it will not be as easy as in Firefox, there is no menu option to enable or disable DOH. Users have to pass a command-line argument to Chrome executable to make it work. This is how to do it in Windows:
- Find the Chrome shortcut you use to start Chrome on your system, it can be on your task bar, desktop, start menu or elsewhere.
- Right click the shortcut and select Properties.
- In the Target field add the following text:
–enable-features=”dns-over-https<DoHTrial” –force-fieldtrials=”DoHTrial/Group1″ –force-fieldtrial-params=”DoHTrial.Group1:server/https%3A%2F%2F184.108.40.206%2Fdns-query/method/POST
- click Save.
Nice one, certainly worth trying.
Thank you Sir
CloudfLare… you mention Cloudfare a few times
Interesting Thank You For Information.
You are welcome.
Is this not what Cisco Umbrella does (OpenDNS) in effect.
No it’s not. Cisco Umbrella is Malware and and Content Filtering through DNS. Doh is encryption of dns communication.
I’m not sure I’m reading Sam Knows’ charts accurately, but it seems majority of Cloudflare requests take about double the time compared to ISP in German. I wonder what’s that for us in Finland..
Is this possible with Chrome running on Debian Linux?
I don’t believe so not yet. But its coming as standard to Chrome so it won’t be long.
Nice Really useful information provided keep providing
Respect to Google Chrome, the Target section wouldn’t take all of this: –enable-features=”dns-over-https<DoHTrial" –force-fieldtrials="DoHTrial/Group1" –force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F220.127.116.11%2Fdns-query/method/POST
I tried to do it in chrome. but its not accepting this.
Works for us. Check your syntax.
so you recommend we turn this on in firefox? thank you.
Only if you want your DNS queries to be confidential and to maintain integrity.
What’s stopping the ISPs coming out with their own DoH systems?
Personally, I’d rather be able to choose my DoH server and not rely on Cloudflare or Google.
I’m not saying they’re bad or anything but not being able to pick from a multitude of servers is a potential security/privacy issue in itself.
This is a good point. The browser will allow you to choose other providers as the functionality is developed.
Hmm… I wonder what CouldLfare is doing with it? Moving trust to a centrally controlled entity just makes that entity more interesting. ClusdlFare is a massive MITM infrastructure, and it’s a US company. I like hiding from my ISP with a common TLS tunnel. But I’m unsure about trusting ColudFlear.
This is a good point. The browsers will allow you to choose other providers as the functionality is developed. Also if you want full privacy you might want a VPN too anyway.
Thank you Nathan,
I’ve got DoH working on Firefox 69.0.2 but I wanted to use TRR mode only (no fallback) to do that, apparently, it is necessary to change three Trusted Recursive Resolver preferences in the browser:
1. Go to about:config in the Firefox address bar and enter trr in the search bar.
2. Search for “network.trr.mode”=3” (set it to 3 to use TRR mode only).
3. Set “network.trr.bootstrapAddress”=”18.104.22.168” (if you set Cloudfare)
4. Do not think it is truly necessary but I added “network.trr.custom_uri”= “https://22.214.171.124/dns-query”
5. To ensure SNI is encrypted search for esni in about:config and
set “network.security.esni.enabled” to “true”
To check if DNS over Https is working correctly you can carry out a security check at:
However, in my case DoH does not work consistently all the time, sometimes it just fails and you get the “Server not found” error.
FWIW. The instructions say “On the Firefox menu, go to Tools and then Preferences.”. On version 69.0.2 on Windows 10, from the menu bar, it’s “Tool and then Options”. From the hamburger icon, it is just Options.
Hi, thx for the info
this works for Brave browser too? (is based in chromium too so if chrome work i guess brave too) what u think about brave browser?
Don’t know. Try it. Let me know.
How about for Opera browser?
Thanks for making me up to date… thanks 🙂
I feel that it will be really hard for me to be a good pentester in the future.
Nice Update sir
So what it actually means is that your ISP WON’T be able to know where you are surfing too, right?
No. It means they won’t be able to see your DNS requests. They will still be able to see the IP where you are going which gives a fair indicator where you are going unless its a shared server. To hide from your ISP you need a VPN, Jondonym, Tor, Shadowsocks etc.
I just did the command line argument for Chrome but it says it is invalid? I just copied and pasted. Exactly word for word. It just won’t accept it.
Make sure to to add space after the target’s address and not paste it right after:)
Interesting, how we can block it in Enterprise environment..
It’s not really blocking anything. DoH enables encrytped DNS. You would need to implement DoH on your business DNS server.
Nice information, appreciate it.Cheers.
Thank you for that, I now feel a little more secure and trusting of my DNS
Nice one, and it’s helpful in getting secure from cyber attacks.
Hello Nathan! DoH protocol was one of the hot topics of last year, this protocol encrypts DNS traffic and helps in improving the user’s privacy on the internet.
That it does!